News in a Minute Weekly Roundup | Oct. 6

October 06, 2017

By Marcos Colón

A roundup of the top news stories in information security this week, including Equifax stalling on installing a patch that ultimately resulted in its data breach, Yahoo revealing that their 2013 data breach was much bigger than expected, and updates to Netgear products.

DATA BREACHES

Equifax Stalled on Patching Vulnerability That Led to Data Breach

In testimony delivered to Congress on Tuesday, former Equifax CEO Richard Smith disclosed that the company was alerted to a software security vulnerability in March, but failed to address it immediately. Ultimately, the vulnerability led to the recent data breach that impacted more than 140 million Americans. “It appears that the breach occurred because of both human error and technology failures,” Smith said.

A total of 50 patches were issued to address vulnerabilities in Netgear products which include routers, switches, NAS devices, and wireless access points. Of the total number of vulnerabilities, 20 were deemed as “high” security risks, with the remaining receiving a “medium” score. The advisories tied to the vulnerabilities were posted over the last two weeks.

This week, Yahoo shared that the massive 2013 data breach that impacted more than one billion user accounts is much bigger than it previously reported. A total of three billion accounts existing in 2013 “had likely been affected,” the company said in a statement. Following a forensic investigation, the company now believes that all of its Yahoo user accounts at the time were compromised.

While many attackers opt to stick to the success of the original phishing emails sent out to their targets, cyber miscreants have been especially persistent in a recent campaign. CSO Online’s Salted Hash reported on an Office 365 phishing campaign occurring since late 2016, and indicated that attackers sent a follow-up email just two weeks following their initial message, with a third email arriving shortly after that.

BoA’s Chief Tech Officer Says Company to Spend $600M on Infosec This Year

The larger the enterprise, the more the security spend. While that’s a commonly accepted assumption, one technology leader shared just how much her organization was spending on security this year. Bank of America Corp’s chief operations and technology officer Cathy Bessant said in a recent interview with CNBC that when all is said and done, the company would be spending a total of $600 million on information security this year.

On October 1, new anti-privacy laws went into effect in Russia. The laws allow for faster blocking of all proxies and mirrors of banned websites. Additionally, search engines are not allowed to advertise on sites. Additional anti-privacy laws will go into effect after November 1, when Russia plans to block VPN services.

New standards have been released that are aimed at bolstering the security of the system the internet’s core routers use to direct traffic. The Border Gateway Protocol (BGP) Path Validation draft standards are designed to ensure that Internet traffic is coming from a safe and reliable source.

Officials believe that Russia’s digital warfare campaign has spread to individual soldiers. According to a report by The Wall Street Journal, individual NATO soldiers - specifically those deployed to Poland and the Baltic states - are having their mobile phones compromised by Russian state-sponsored attackers. In addition to compromising phones, intruders are also taking over their Facebook accounts.

As MISTI’s content marketing lead, Marcos spearheads the brand’s content marketing strategy, implementing a process to deliver high-quality insight to information security and internal audit professionals. Prior to working with MISTI, he served as the online editor for the award-winning SC Magazine, a prominent B2B IT security publication. He also served as a senior editor at NewsCred, a prominent content marketing agency, where he provided content strategy guidance for leading brands that include Discover, IBM, Visa and Bloomberg.
